What do you think of LastPass or RoboForms or other password keepers? I've got a small notebook next to my computer filled with 8 pages of passwords, one of the programs is appealing.

I've been thinking of using one of those for all passwords but my financial stuff and e-mail.

Thoughts?

Cosmos
> What do you think of LastPass or RoboForms or other password keepers? I've got a small notebook next to my computer filled with 8 pages of passwords, one of the programs is appealing. I've been thinking of using one of those for all passwords but my financial stuff and e-mail. Thoughts?

You listed two popular ones. Another two are KeePass and 1Password. They're all good for many people since often weak passwords are chosen if you do it yourself. You only need to remember one password, which is the one to use for the password keeper. Why do you want to exclude financial stuff and emails?
> Why do you want to exclude financial stuff and emails?

I want to exclude those to keep it more secure. How hackproof are those programs? I would exclude e-mail, did you read the article about the Wired author that got hacked? http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-hona...

Maybe I should exclude Apple and Amazon.

Cosmos
> I want to exclude those to keep it more secure. How hackproof are those programs?

I guess you need to ask yourself that question. How strong are your passwords now for your financial website logins? Someone that uses easy to remember passwords will benefit from a password keeper program.

Also I think some of these programs allow you to store the password file on a flash drive.

PSU
What difference does it make if I have strong or weak passwords for my financial stuff? If the password is in a password keeper program and it's hacked, I'm exposed. I have strong passwords for my financial stuff, they are as long as possible with random letters and numbers. The ability to continuously accurately type these passwords, change them regularly, and keep a running list is sort of manageable. Add in all the social sites, boards, quilting stuff, media, every place I've applied for a job, health insurance apps, my doctor's office, shopping, civic organizations, volunteer places, and games, and maintaining passwords is a chore.

Cosmos
> What difference does it make if I have strong or weak passwords for my financial stuff? If the password is in a password keeper program and it's hacked, I'm exposed.

I'm not an expert on strength of passwords but from what I recall, you can create passwords that would take 100's of years for the fastest computers to crack. If your password keeper password is strong, you don't have to worry about hacking. I'm one of the many people who use the same password for many websites and it isn't that strong. I'm playing with fire. One of these days soon, I will start using a password keeper. I do know that once I do, I will be far safer than I am now from hackers.
> I'm not an expert on strength of passwords but from what I recall, you can create passwords that would take 100's of years for the fastest computers to crack

In the grand scheme of things I don't see why this is ever an issue. Every web site that is worth anything, I would hope, would not allow a large number of password attempts. After a few (5 or 10) wrong passwords the site should lock you out for 5 minutes or an hour...or require you to answer one of your secret questions, etc. When you sign up for a new account this policy should be displayed in plain view on the signup page.

Mike
I use LastPass, and love it.

Top reasons I love it:

- I no longer have to remember the passwords to my stuff. Every one of my logins (not just financial) has a unique password. So I don't worry about Amazon, Apple, Sony, The Fool - if any one of them is hacked, it cannot leak to any of my other logins.
- Even if they are hacked, my data is safe - it is decrypted locally, by my master password alone. In fact, they WERE hacked. http://www.pcworld.com/article/227268/lastpass_ceo_exclusive... The damage was minimal and easily abated by changing my master password, which I did. As an added step, I went through and changed the passwords for all my sites. Using the included Generate Password tool, it took under an hour, and now all my passwords were different than they were. Even if the crooks were able to decrypt my passwords - they were no longer valid.
- It works on all my devices, mobile, desktop, all browsers, all my computers. I have access to all my passwords, all the time, not just when I'm at work, at home, etc.
- It has Form Fill, so when I go to fill out a shipping address form, I click "Home", and it's filled in, including credit card number, expiration date, security code, etc.
- It supports "identities". It knows by which Identity is active which login to use when the browser goes to Facebook.com. My wife, son, and I all have logins, and it keeps them separate.
- It supports "Secure Notes", where I can keep other info like IP addresses and stuff.
- If I ever decide to shut it off, I can export all my info and take it with me. I'm not trapped into using it.

Their iOS app leaves something to be desired in terms of usability and functionality, but I can get by with it.

I don't believe any solution is perfect, because passwords are intrinsically flawed. This gives me by far the best flexibility and security with ease of use.

Ultimately I think all the ones listed on the thread are probably equally good, I just happened to get started with LastPass, and it works, so I have no reason to switch.

Good luck sorting this all out,

GM
> In the grand scheme of things I don't see why this is ever an issue.

You are correct that it's not really an issue for someone trying random passwords in a web browser.

The issue is if someone hacks in and steals the entire password file from the web site. They can then make as many attempts to crack passwords as they care to.

It really only takes one disgruntled employee (or perhaps two working together) to steal a password file directly. And hackers are constantly trying to find ways in to various web sites, with the occasional success.

--Peter
> Every web site that is worth anything, I would hope, would not allow a large number of password attempts.

Most websites are not worth anything.
> I use LastPass, and love it.

I'll second that, along with all of the other reasons GM stated in his post. Another thing I like about LastPass is the ability to use a two-stage authentication process (using a USB drive or Google Authenticator) so that your password vault is only accessible by devices authorized specifically by you.
While the article you referenced is discomforting, if you read the details widely reported, this person violated a number of important rules -- like using common passwords.

My own view is there are very few people whose security would not be improved by adopting/using a password manager. On one extreme, those people who use Password, 123456, or ChangeMe as a password might actually use some decent passwords. On the other extreme, people like yourself could easily use a different, secure password for each site and would find it much easier to change them periodically - since recording/remembering would be less trouble.

If your home has multiple computers and users, a manager makes it easy to keep a household database current. In my case, my wife is a Windows person and I use Mac - since our Password manager syncs across both PCs and operating systems we have minimal hassles.

Finally - just because things can go very wrong and losing all data in a Password Manager could be a serious problem - we keep a spreadsheet with various information including passwords. If you go this route, you might want to consider a file name other than PINs or Passwords.

GordonAtlanta
>> Every web site that is worth anything, I would hope, would not allow a large number of password attempts.

> Most websites are not worth anything.

It can be deceptive. The best anti-hacking blocks will never inform you that you're being stopped by an anti-hacking block. After, say, the 5th time that you get the "invalid userid or password" message, you're actually being stopped by a "tried too many times" block but the message you get doesn't change.

But it's true, quite a lot of websites with userids and passwords have pretty poor security. (Places with financial accounts have security audits. Places that take credit cards SHOULD have security audits, but don't necessarily. Amazon, I'd bet heavily, does; Joe's Crab Shack, not so sure.)
> After, say, the 5th time that you get the "invalid userid or password" message, you're actually being stopped by a "tried too many times" block but the message you get doesn't change.

I forgot to say: and the response time doesn't change pattern either. If it's been the same for the tries that were actually processed, it stays the same; if it's been changing in some pattern, it keeps the same pattern. The point is that there's no way for the hacker to tell.
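The silent lockout described in the two posts above, sketched as an added example that is not part of the original thread and is not any site's actual code. The `LoginGate` class, the threshold of 5 failures and the 300-second lock are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

GENERIC_ERROR = "invalid userid or password"
MAX_FAILURES = 5      # assumed threshold, taken from the "5th time" in the post
LOCK_SECONDS = 300    # assumed lock duration


class LoginGate:
    """Login check whose lockout is indistinguishable from a wrong password."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}     # userid -> (salt, PBKDF2 hash)
        self._failures = {}  # userid -> (failure count, time of last counted failure)
        # Decoy record so unknown userids cost the same hash work as real ones.
        decoy_salt = os.urandom(16)
        self._decoy = (decoy_salt, self._hash(decoy_salt, os.urandom(16).hex()))

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, userid, password):
        salt = os.urandom(16)
        self._users[userid] = (salt, self._hash(salt, password))

    def is_locked(self, userid):
        count, last = self._failures.get(userid, (0, 0.0))
        return count >= MAX_FAILURES and self._clock() - last < LOCK_SECONDS

    def login(self, userid, password):
        locked = self.is_locked(userid)
        count, _ = self._failures.get(userid, (0, 0.0))
        if count >= MAX_FAILURES and not locked:
            count = 0  # the lock has expired, start counting again
        salt, stored = self._users.get(userid, self._decoy)
        # Hash on every path (locked, unknown user, wrong password) so the
        # response time follows the same pattern in all three cases.
        matches = hmac.compare_digest(self._hash(salt, password), stored)
        if matches and not locked and userid in self._users:
            self._failures.pop(userid, None)
            return "ok"
        if not locked:
            self._failures[userid] = (count + 1, self._clock())
        return GENERIC_ERROR
```

While the lock is active even the correct password gets the generic message, so the caller cannot tell a block from a bad guess.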
KeyWallet is an old password manager that stores userids, passwords, other fields, and optionally the URL in a HD encrypted database - storage.kwo

I have used it for about ten years on two computers and four HDs and Windows 2000, XP and currently 7. It is browser independent, it works with all browsers. I still prefer it to any of the newer password managers - Lastpass, Keepass, etc.

I start it with the computer and keep it in the tray and display it always on top.

To use click the blue & white globe in the record - called a 'key.' Your default browser opens or a new tab if it is already running. Drag & drop the key into the userid to complete the form and, after the number of tabs you have told the script, it will enter submit.

There is no synching. After making a new record (key) I back up storage.kwo by exporting to myname.kwo on a USB stick so I can import it back to storage.kwo if the HD crashes.

What I like - it stores URL of important sites: bank, broker, USAA, PayPal, insurance et al so I do not store those sites in browser's bookmarks. Nothing of importance is in my bookmarks/favorites.

http://www.keywallet.com/index.php

my $0.02
> But it's true, quite a lot of websites with userids and passwords have pretty poor security. (Places with financial accounts have security audits. Places that take credit cards SHOULD have security audits, but don't necessarily. Amazon, I'd bet heavily, does; Joe's Crab Shack, not so sure.)

After the incident referenced earlier in this thread, a number of changes were implemented by the companies involved. Apple removed the ability of customer service people to give out whatever information an Apple employee give out. Also they made it a whole lot more complex to change passwords if you did not know your previously provided security question answers. Finally they got much more proactive at forcing people to update Passwords and logins to minimal security level. (Like passwords must have at least one numeral, one UPPERCASE letter, one lower case letter, not equal login and be a minimum number of characters long. You can also use several symbols.)

Amazon made a number of changes, particularly in the reset area for people who forgot/lost passwords. Google also changed the procedures by which a person could change logins or password resets. In short things at the companies involved changed for the better.

GordonAtlanta
Gordon and I both use 1Password, which I like a lot.

It has native clients for Windows, OS X, and iOS. It also has good browser integration, no subscription fees, and can store the data locally on your hard drive, or store it in Drop Box. (It's all encrypted.)

I use the Drop Box option, so that all my passwords are kept in sync.

There are other good solutions, too. But this is the one that best meets my needs.
OK, yes there are lots of options out there!!!

I have used KeePass for a couple of years now, and I keep everything in KeePass. For me it has worked fine and everything is on my PC and on USB/Stick, nothing on any Web Site.

Here is the KeePass Feature List on the KeePass Web-Page: http://keepass.info/features.html

Just my 2 Cents...

TK...
> I use LastPass, and love it. Top reasons I love it:

Thanks for the quick write-up. I was recently thinking about going with LastPass and your comprehensive list was very helpful.

GT
> You are correct that it's not really an issue for someone trying random passwords in a web browser.
>
> The issue is if someone hacks in and steals the entire password file from the web site. They can then make as many attempts to crack passwords as they care to.
>
> It really only takes one disgruntled employee (or perhaps two working together) to steal a password file directly. And hackers are constantly trying to find ways in to various web sites, with the occasional success.
>
> --Peter

I have used Roboform for a number of years and the above is the main reason I stay with them. I had in fact just started a trial run of LastPass when they were hacked. The thought of having all of my passwords in one place on the cloud lost its appeal.

I use the version of Roboform that keeps everything local.

When I travel I usually have my laptop and it also has Roboform installed. When traveling with my iPad I have limited access to my 'normal' websites except for specific apps that link me to my bank, eBay or Amazon.

arahfool
I also use KeePass and I keep all my passwords in it, and on most sites I let it generate the passwords. If you use a strong master password, most password manager databases are considered uncrackable or very hard to crack.

Alas, right now my easiest to crack passwords are for the financial sites, and the strongest are on chat boards, probably just the opposite of what they should be. But the password for the email account that is set up for "lost password" email address for those sites is pretty secure.

I used to use Roboform, but a few years ago we had an incompatibility between Roboform and Oracle Forms (which is what the business software the community college uses was written in), so we switched to KeePass and haven't looked back.
I was looking over the feature list for KeePass and I noticed a couple things. First the entire database is encrypted, not just passwords and user ID's. I like that.

I also noticed you can attach files to database entries. So I could then store an encrypted copy of my Quicken database to my Quicken user and password entries and then, if I wanted, store/back them up using DropBox. Anybody doing that? I probably wouldn't want to attach my Quicken file and put it in the cloud but I want the KeePass database file in DropBox so I can use it over several devices including multiple computers running both Windows and Linux (KeePassX) and Android smart phone (KeePassDroid).

I've had KeePass installed on my desktop for some time and played with it using dummy accounts but have yet to really commit to using it.

Kurt
> I want to exclude those to keep it more secure. How hackproof are those programs?

1Password has a very detailed article explaining just how their security works: http://help.agilebits.com/1Password3/agile_keychain_design.h...

Excerpt:

"The core of the encryption is AES (Advanced Encryption Standard) using 128-bit encryption keys and performed in Cipher Block Chaining (CBC) mode along with a randomized Initialization Vector."

Since they don't store any of your data on their servers, there is no centralized server to hack.

My preference for 1Password is because I use multiple operating systems, and 1Password is available for all four, and (using their optional DropBox integration) keeps everything in sync.

They have apps for:

• Windows (I use both XP and 7)
• OS X
• iOS